How secure is Cardano?

Lately, 51% attacks on cryptocurrencies have been a hot topic. Particularly the recent attack on Ethereum Classic left communities of other cryptocurrencies wondering if their blockchains are actually secure. This long-read attempts to give a complete overview of the security model of Cardano’s settlement layer. The article first addresses Bitcoin’s security, 51% attacks and common problems in the security model of most Proof-of-Stake (PoS) cryptocurrencies on the market today. The article then continues by describing how Cardano’s PoS consensus mechanism (Ouroboros) works, the coins’ initial and current distribution, how stake pool distribution is incentivized and closes with some final thoughts.

Why is Bitcoin secure?

To understand what makes a blockchain secure in the first place, let’s first have a look at Bitcoin, the cryptocurrency that started it all. The following two properties are key characteristics of any distributed ledger, including Bitcoin:

Persistence: Past transactions in the ledger should be immutable.

Liveness: New transactions should be included without undue delay.

In Bitcoin, persistence is essentially achieved by combining two techniques:

Proof-of-Work (PoW): Nodes use computing power (hash power) to solve a cryptographic puzzle. The first node to solve it gets to create the next block, provided it does so before another node solves the puzzle and gets its block propagated faster. A node’s chances to ‘win’ depend on its hash power and some luck. PoW therefore introduces randomization, where a node’s chance of ‘winning’ the right to create a block is proportional to the amount of hash power that it (or the pool it belongs to) contributes to the network.

The longest chain rule & heaviest chain rule: When multiple chains exist, for instance due to attacks attempting to break the ledger’s immutability, the chain with the longest string of blocks was originally selected as ‘the true version’ in Bitcoin. Since blocks can only be created through PoW, the longest version was considered the most difficult to create and could thus be the only ‘true version’ of the ledger. More recently, this was adjusted to the ‘heaviest chain rule’, where the chain that had the most hashing work put into it is selected, making this assumption more explicit.

When a node ‘wins’ and successfully produces a new block, it receives some newly ‘mined’ Bitcoin (BTC) and the fees that are paid for each included transaction. This creates an incentive for every transaction with sufficient fees to be included in the blockchain without undue delay, assuring liveness.

Bitcoin has been live for more than 10 years with 99.98% uptime and zero known security breaches. Bitcoin has worked well in practice, but in 2015 its security model was also mathematically proven to be correct. Bitcoin can therefore be considered secure — under the assumption that the majority of hashing power in the system is controlled by honest parties.

What is a 51% attack?

When the assumption mentioned above does not hold, and a single person or a collaborating group of people controls more than half of the network’s total hash power, a successful 51% attack can be executed. In Proof-of-Work (PoW) currencies such as Bitcoin, this would mean that the attacker is able to solve the cryptographic algorithms faster than the rest of the network, and thus create new blocks faster than the rest of the network combined.

This advantage allows the attacker to create an alternative version of the ledger that consists of a longer chain of blocks and thus rewrite the history of transactions. As a result, the blockchain loses its persistence (immutability) and liveness (censorship resistance).

If an attacker can create blocks faster than the rest, he can rewrite the chain’s history (source)

While the attacker cannot rewrite account balances or execute transactions that never existed, previous transactions can be undone, where the more hash power dominance the attacker has, the further back he can ‘go back in time’. This means the attacker could spend coins he already possesses (e.g. for a valuable offline asset such as gold, or for fiat on an exchange) and later undo this transaction on the ledger. The attacker then owns both the asset he traded for and the original coins he spent on it. This is called ‘double spending’.
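To make the two chain selection rules and the ‘how far back can an attacker go’ question concrete, here is an added example (not code from the article or from Bitcoin itself). It picks between two constructed forks once by length and once by accumulated work, and it uses the catch-up probability from section 11 of the Bitcoin whitepaper to show how many blocks of lead an honest chain needs before a minority attacker’s chance of overtaking it becomes negligible; the chains, difficulties and the 0.1% threshold are assumptions made for the example.

```python
"""Chain selection by total work versus by length, and how far behind a
minority attacker can realistically catch up from. Constructed example;
not Bitcoin's own code."""
from dataclasses import dataclass, field


@dataclass
class Block:
    height: int
    difficulty: float  # expected hashes needed to find this block (arbitrary units)


@dataclass
class Chain:
    name: str
    blocks: list = field(default_factory=list)

    def length(self) -> int:
        return len(self.blocks)

    def work(self) -> float:
        # Total expected hashing that went into producing the chain.
        return sum(b.difficulty for b in self.blocks)


def select_longest(chains: list) -> Chain:
    """Original Bitcoin rule: the chain with the most blocks wins."""
    return max(chains, key=Chain.length)


def select_heaviest(chains: list) -> Chain:
    """Heaviest chain rule: the chain with the most accumulated work wins."""
    return max(chains, key=Chain.work)


def catch_up_probability(q: float, z: int) -> float:
    """Probability that an attacker holding fraction q of the hash power ever
    overtakes an honest chain that is z blocks ahead (Bitcoin whitepaper,
    section 11): (q/p)^z for q < p, and 1 once q >= 1/2."""
    p = 1.0 - q
    if q >= p:
        return 1.0
    return (q / p) ** z


def blocks_to_outpace(q: float, target: float = 0.001):
    """Smallest lead z at which the attacker's catch-up probability drops
    below target, or None when no lead is ever safe (q >= 1/2)."""
    if q >= 0.5:
        return None
    z = 0
    while catch_up_probability(q, z) > target:
        z += 1
    return z


def make_chain(name: str, n_blocks: int, difficulty: float) -> Chain:
    """Constructed chain with n_blocks blocks of equal difficulty."""
    return Chain(name, [Block(h, difficulty) for h in range(n_blocks)])


# Constructed fork: the attacker's branch has more blocks, but each was
# found at a lower difficulty, so less total hashing went into it.
HONEST = make_chain("honest", n_blocks=4, difficulty=10.0)
ATTACKER = make_chain("attacker", n_blocks=5, difficulty=5.0)

if __name__ == "__main__":
    print("longest :", select_longest([HONEST, ATTACKER]).name)   # attacker
    print("heaviest:", select_heaviest([HONEST, ATTACKER]).name)  # honest
    for q in (0.1, 0.3, 0.45, 0.51):
        print(f"q={q}: lead needed for <0.1% catch-up = {blocks_to_outpace(q)}")
```

Note how `blocks_to_outpace` returns `None` for any `q` of one half or more: no number of confirmations protects against a majority, which is exactly the 51% case the article describes, whereas a 10% attacker is already below a 0.1% catch-up chance after a lead of four blocks.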

In the recent case of the 51% attack on Ethereum Classic, there were two reasons that it was a relatively easy target. First, it utilizes the same algorithm as its ‘parent chain’ Ethereum, but has a hash rate that is orders of magnitude smaller. While it is unknown who executed the attack, it is possible that a large Ethereum miner just switched part of its hash power from mining Ethereum and started mining Ethereum Classic. A second vulnerability of Ethereum Classic is that its hash rate is so low that it costs just ~$4,106 per hour in energy costs to execute a 51% attack [as per 15–1–2019]. The required hash power could therefore even be fully rented on a service like NiceHash, meaning an attacker wouldn’t even need to acquire any hardware.

Ethereum Classic is both ‘NiceHash-able’ and a minority chain, 15–01–2019 (source)

Most of the 51% attacks to date therefore targeted smaller cryptocurrencies, or chains with a minority dominance in their respective mining algorithms. When it comes to Bitcoin, the distribution of its hash rate over mining pools is often the topic of discussion. For example, in July 2014, the GHash.io mining pool controlled more than 51% of Bitcoin’s total hash power, creating a single point of failure in that one instance (without consequences). The likely reason for this is that when participants attempt to maximize their payoff, simulations show that the mining pool distribution tends towards the use of a single pool, creating centralization. This is known as the tragedy of the commons: even though the participants value decentralization as a concept, none of them individually wants to bear the burden of it. However, miners’ ideals and morality might still drive them to behave differently.

On June 20th, I published an article in which I mentioned that the three largest Bitcoin mining pools controlled 52.3% of the network’s total hash rate at that time. However, as a result of the 2018 bear market and Bitcoin’s price drop, mining farms have closed their doors as mining Bitcoin became less profitable. A compelling example is the recent crisis at Bitmain, one of the largest mining hardware developers. This month, ‘unknown’ miners became the largest group in Bitcoin’s hash rate distribution, a trend that appears to be ongoing according to this publication by Nic Carter’s Coin Metrics team. While this could be a sign that Bitcoin’s hash rate distribution is getting more decentralized, it should be noted that these miners could still participate in a pool but simply choose not to share this information.

How do Proof-of-Stake systems differ?

As long as it can attract enough honest participants that make it difficult for attackers to control the majority hash power, PoW has proven to be secure. Nonetheless, there are (potential) downsides to PoW, for example:

The intensive use of computing power consumes a lot of energy. However, the efficiency of mining equipment continues to improve, miners tend to seek cheap (often renewable) energy sources, and you can argue that Bitcoin’s added value to society warrants its high energy consumption. Either way, a system that can achieve similar security with less energy consumption would be favorable from an environmental perspective.

In PoW cryptocurrencies with a capped supply (e.g. Bitcoin), the number of new coins that can be mined diminishes over time, and at some point only fees are available as block rewards. It remains to be seen if block rewards based on fees will be valuable enough to cover miners’ costs and keep incentivizing them to participate in the (distant) future.

In PoW, coin holders without a (mining) node cannot directly participate in network governance (besides ‘voting with their feet’ when choosing which fork to support, or opting out by selling their coins), while their interests do not necessarily align with those of developers and miners.

PoS systems attempt to improve these aspects. In PoW, participants in the consensus mechanism essentially put fiat money ‘at stake’ by converting it into the hardware and electricity needed to participate. In PoS, participants use the blockchain’s native currency itself to prove they have ‘skin in the game’. As a result, no intensive computations are needed, which lowers energy consumption, and in some cases coin holders can participate in the network’s governance through voting.

This may sound like a home-run, but PoS systems also have design problems.

First, there is the problem of costless simulation, which is related to the nothing-at-stake problem. Since no physical resources are required to produce blocks, it is possible to build an alternative history of the blockchain and thus create multiple competing chains at no cost, unlike in PoW where energy costs need to be made for each competing chain. Somewhat related to this is the problem of grinding attacks: if the blocks themselves are the source of the randomness used to elect block creators, an attacker can manipulate this randomness and keep selecting himself to ‘win’.

Some systems (e.g. Casper, Ethereum’s suggested PoS protocol) have proposed that this problem might be solved by freezing the staked coins and punishing nodes by slashing their coins if malicious behavior is observed. While this may dis-incentivize nodes from acting maliciously, it also limits honest participants’ ability to spend their coins and potentially even puts honest participants’ coins at risk of slashing (e.g. in case of a 51% attack, which in Ethereum Casper’s case would be a 34% attack).

As a result, the longest chain rule is not directly applicable in PoS in the same way it is used in PoW. Nodes that (re)join the network for the first time or after being offline for a while therefore need to trust the information that they receive from other nodes. This is known as the bootstrapping problem, which increases the network’s vulnerability to long range attacks. In a long range attack, a node is offered an alternative version of the blockchain while it has limited or no recent information available to distinguish whether this is the correct version.

PoS is not a new concept, but no PoS system to date has overcome all of these design challenges in order to reach the same level of security as Bitcoin.

How does Cardano attempt to solve these?

When the Bitcoin whitepaper was launched on October 31st, 2008, and the network went live on January 3rd, 2009, it essentially started out as an experiment. While the concept was clearly very well thought-out, the security claims weren’t mathematically proven to be correct in an academic setting until 2015. The concept of PoW was invented in 1997 by Adam Back (now CEO of Blockstream) for Hashcash, a system that aimed to prevent Denial of Service (DoS) attacks and e-mail spam. However, it was not until it was combined with Bitcoin’s incentive structure that it became a success.

In a similar way, Cardano hopes to take the concept of PoS and solve its shortcomings. Unlike Bitcoin, where practice preceded formal theory, it aims to do so by letting formal theory precede practice, and prove each security claim to be mathematically correct before implementing it.

Cardano consists of two layers: a settlement layer on which monetary transactions are run, and a computational layer that is used for smart contracts. When discussing Cardano’s security, obviously both aspects could be taken into account. This article will strictly focus on the security of Cardano’s settlement layer, whereas the security of its smart contracts layer (e.g. compared to Ethereum) will be discussed in a future article.

While Cardano as an ecosystem was launched by Input Output Hong Kong (IOHK), Emurgo and the Cardano Foundation, it is IOHK’s responsibility to develop the technology of the blockchain itself. Since its launch in 2015, over 40 academic papers related to Cardano have been published, some of which can be found in the research library on the IOHK website. The research program for the settlement layer’s consensus mechanism was titled ‘Ouroboros’.

Ouroboros (Classic)

The first version of Ouroboros (now referred to as Ouroboros Classic) focused on being secure in a synchronous setting: a situation where nodes are always online and ready to produce blocks when needed, while all their clocks are running in sync.

In Ouroboros, a time period called an ‘epoch’ is divided in 21,600 time ‘slots’ that last 20 seconds each, which means each epoch is exactly 5 days. Each slot represents a 20-second time window in which the ‘slot leader’ (a selected node) can create a block. Before an epoch begins, all slot leaders for this epoch are randomly elected.

To do so, in Ouroboros Classic a method called “Follow-the-Satoshi” is used, which was invented by Litecoin creator Charlie Lee in 2012. In a nutshell, every Lovelace (0.000001 ADA, similar to how 1 Satoshi is 0.00000001 BTC) that is staked represents a lottery ticket to win the rights to create a block. This means that anyone can participate with any amount of stake (even with 1 Lovelace) and that the chances of winning are proportional to the number of staked coins — the more stake, the higher the chance of being elected.

However, a lottery needs more than just lottery tickets — it also needs a method to randomly select the winner. To do so, in Cardano’s genesis block (the first block ever generated), a seed of random numbers was posted that determined the slot leaders during the first epoch. In Ouroboros Classic, the randomness seed for the next epoch is generated using a cryptographic scheme called publicly verifiable secret sharing (PVSS). In essence, each time a block is created, the nodes play a coin flipping game in order to generate a random number, and use PVSS to encrypt the outcomes onto the blockchain (a more detailed description can be found here), making them publicly verifiable. At the end of the epoch, these numbers are combined (using a method called XOR) to produce a final random number that all participants use to elect slot leaders for the next epoch. Since the randomness data created during the epoch feeds into the next, a closed loop is formed. This is why the protocol was named Ouroboros, after a mythical serpent biting its own tail.
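The following is an added example (not IOHK’s implementation) that puts the two mechanisms just described together: the XOR combination of per-block randomness into an epoch seed, and a Follow-the-Satoshi lottery that uses that seed to elect a leader for every slot of an epoch, with a holder’s chance proportional to its lovelaces. The stake snapshot and the per-block contributions are constructed, and deriving each slot’s ticket as SHA-256 of the seed and the slot number is an assumption made for the example, not the protocol’s actual derivation.

```python
"""Epoch randomness combined by XOR and a Follow-the-Satoshi slot leader
lottery driven by that seed. Constructed example, not IOHK's implementation;
the per-slot draw (sha256 of seed and slot number) is an assumption."""
import hashlib
from bisect import bisect_right

LOVELACE_PER_ADA = 1_000_000


def combine_randomness(outcomes) -> bytes:
    """XOR all 32-byte per-block randomness contributions into one epoch seed.
    Every node that sees the same blocks computes the same seed."""
    seed = bytearray(32)
    for out in outcomes:
        if len(out) != 32:
            raise ValueError("each contribution must be 32 bytes")
        for i, b in enumerate(out):
            seed[i] ^= b
    return bytes(seed)


def build_stake_table(stake_lovelace: dict):
    """Lay every staked lovelace out on a number line. Holder i owns the
    tickets in [bounds[i-1], bounds[i]); holders with zero stake get none."""
    holders, bounds, total = [], [], 0
    for holder, lovelace in sorted(stake_lovelace.items()):
        if lovelace <= 0:
            continue
        total += lovelace
        holders.append(holder)
        bounds.append(total)
    if total == 0:
        raise ValueError("nobody has staked anything")
    return holders, bounds, total


def follow_the_satoshi(seed: bytes, slot: int, holders, bounds, total) -> str:
    """Pick one lovelace (ticket) for this slot and return its owner."""
    digest = hashlib.sha256(seed + slot.to_bytes(8, "big")).digest()
    # A 256-bit value modulo total: the bias is negligible for realistic totals.
    ticket = int.from_bytes(digest, "big") % total
    return holders[bisect_right(bounds, ticket)]


def elect_slot_leaders(seed: bytes, stake_lovelace: dict, slots: int):
    """Whole-epoch schedule: one leader per slot, all known before the epoch
    starts (which is exactly the transparency Praos later removed)."""
    holders, bounds, total = build_stake_table(stake_lovelace)
    return [follow_the_satoshi(seed, s, holders, bounds, total) for s in range(slots)]


def leader_shares(schedule) -> dict:
    """Fraction of slots each holder was elected for."""
    counts = {}
    for holder in schedule:
        counts[holder] = counts.get(holder, 0) + 1
    return {h: c / len(schedule) for h, c in counts.items()}


# Constructed stake snapshot (in lovelace): a 70 / 30 / 0 split.
STAKE = {
    "alice": 70 * LOVELACE_PER_ADA,
    "bob": 30 * LOVELACE_PER_ADA,
    "carol": 0,
}
# Constructed per-block randomness contributions from the previous epoch.
SEED = combine_randomness([hashlib.sha256(bytes([i])).digest() for i in range(5)])
SLOTS_PER_EPOCH = 21_600  # 20-second slots, 5 days

if __name__ == "__main__":
    schedule = elect_slot_leaders(SEED, STAKE, SLOTS_PER_EPOCH)
    print(leader_shares(schedule))
```

Because every node feeds the same seed and the same snapshot into the same function, all nodes compute an identical schedule without talking to each other; over a full epoch alice’s share of slots lands close to her 70% of the stake, and carol, who staked nothing, never appears.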

Ouroboros Classic was the first PoS protocol that was mathematically proven to guarantee persistence and liveness in a synchronous setting, under the assumption that an honest majority is participating. However, nodes can go offline either accidentally (e.g. a power outage or computer crash) or intentionally (e.g. the node holder just stops), and clocks on the internet are usually not all synced, which means that the ‘real world use’ of the protocol is usually not a synchronous setting. Furthermore, the slot leader selection is fully transparent in Ouroboros Classic and slot leaders are known ahead of time, which isn’t ideal from a security perspective. This is why the second version of the protocol, Ouroboros Praos, focused on also being secure in a semi-synchronous setting and on concealing the slot leader selection process.

Ouroboros Praos

Praos is ancient Greek for ‘relax’, which refers to the characteristic of the protocol that participants don’t need to stress about being continuously online with a synchronized clock. To achieve this, a few techniques are combined.

First, the PVSS method was replaced by a cryptographic function called a Verifiable Random Function (VRF). VRFs were originally invented by Turing Award winner Silvio Micali, who is currently a professor at MIT and is working on a cryptocurrency called Algorand. During each epoch, participating nodes use three things in the slot leader election:

the stake distribution snapshot for the epoch that is created before it starts,

the randomness seed that is calculated based on the previous epoch,

and the VRF itself that is specified in the protocol as being a part of each node’s code base.

The snapshot of the stake distribution is quite straightforward. Before a new epoch begins, a snapshot of all the Lovelaces that are being staked and which nodes control their stake rights at that point in time is made. Since this snapshot is used throughout the slot leader election, the actual staked coins themselves are never frozen and thus remain spendable at all times.

During the epoch, nodes use the stake distribution snapshot and the randomness seed that was calculated during the previous epoch as inputs for their VRF to create a pseudo-random number that determines whether they have won the election for a slot. The node that wins the election creates the block and encrypts this number into the block header. All other nodes use their own VRF to validate that the number encrypted into the block proves this node indeed won the election based on the randomness seed. Nodes therefore don’t find out who won the slot leader election until the block is signed (unless they won themselves). This also means that if a node is up to create a block but is offline at that time, the opportunity to do so just passes and the other nodes never find out who was supposed to create this block. The block can’t be created by another node (e.g. an attacker), since it would be recognized as invalid by the rest.

Once every epoch (at roughly the 3/4 mark), all the numbers that were encrypted into the block headers are combined (also using XOR, just like in Ouroboros Classic). All nodes use this as input to locally calculate the randomness seed for the next epoch. Since all nodes take the same numbers from the same blockchain and use the same method to combine them, all outcomes match, even though nodes calculate them locally. This newly created randomness seed and the new snapshot of the stake distribution are then used in the next epoch, creating an endless cycle that repeats throughout every epoch.
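As an added example of the private lottery described in the two paragraphs above (not IOHK’s code), the block below has every node evaluate a keyed function on the epoch seed and slot number, compare the result against a threshold set by its stake, and, if it is online, produce the block; the outputs of the blocks actually produced are then XORed into the next epoch’s seed. Two simplifications are assumptions made for the example: HMAC-SHA256 stands in for the VRF (it is deterministic and unpredictable without the secret key, but unlike a real VRF it produces no proof that other nodes can check against the leader’s public key), and a node wins a slot with probability equal to its stake fraction, which is not Praos’s actual threshold function. The node keys, stake fractions and seed are constructed.

```python
"""Private slot-leader lottery in the style of Ouroboros Praos and the XOR of
winners' outputs into the next epoch seed. Constructed example, not IOHK's
code: HMAC-SHA256 stands in for the VRF, and the win probability equals the
stake fraction (a simplification of the real threshold function)."""
import hmac
import hashlib

VRF_RANGE = 2 ** 256


def vrf_stand_in(secret_key: bytes, seed: bytes, slot: int) -> bytes:
    """Stand-in for VRF evaluation on (epoch seed, slot number)."""
    message = seed + slot.to_bytes(8, "big")
    return hmac.new(secret_key, message, hashlib.sha256).digest()


def is_slot_leader(vrf_output: bytes, stake_fraction: float) -> bool:
    """Below-threshold test: the output, read as a number in [0, 2^256),
    must fall under stake_fraction of that range."""
    if not 0.0 <= stake_fraction <= 1.0:
        raise ValueError("stake fraction must be in [0, 1]")
    return int.from_bytes(vrf_output, "big") < int(stake_fraction * VRF_RANGE)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def run_epoch(nodes: dict, seed: bytes, slots: int, online=None):
    """Each node evaluates its own function per slot and learns privately
    whether it leads. Returns the blocks produced ({slot: [leader, ...]}) and
    the next epoch seed: the XOR of every produced block's output. An offline
    leader simply misses its slot; nobody else can fill it."""
    online = set(nodes) if online is None else set(online)
    produced = {}
    next_seed = bytes(32)
    for slot in range(slots):
        for name, (key, stake_fraction) in nodes.items():
            out = vrf_stand_in(key, seed, slot)
            if is_slot_leader(out, stake_fraction) and name in online:
                produced.setdefault(slot, []).append(name)
                next_seed = xor_bytes(next_seed, out)
    return produced, next_seed


def win_counts(produced: dict) -> dict:
    counts = {}
    for leaders in produced.values():
        for name in leaders:
            counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed nodes: (secret key, stake fraction from the epoch snapshot).
NODES = {
    "alice": (b"alice-secret-key", 0.5),
    "bob": (b"bob-secret-key", 0.3),
    "carol": (b"carol-secret-key", 0.2),
    "dave": (b"dave-secret-key", 0.0),  # no stake: never wins a slot
}
SEED = hashlib.sha256(b"constructed previous-epoch seed").digest()

if __name__ == "__main__":
    produced, next_seed = run_epoch(NODES, SEED, slots=2000)
    print(win_counts(produced), next_seed.hex())
```

Running the epoch twice with the same inputs gives the same blocks and the same next seed, which is why every node can compute the seed locally and still agree. Taking nodes offline changes which blocks exist and therefore the next seed, but it never lets another node claim the missed slot: the leader test depends on the absent node’s own key.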

In Ouroboros Praos, mathematical proofs showed that persistence and liveness can be guaranteed even in a semi-synchronous setting, again under the assumption that an honest majority is participating. However, the bootstrapping problem hadn’t been addressed yet, which thus became the focus of the third version of the protocol, Ouroboros Genesis.

Ouroboros Genesis

As described earlier, when a new node or a node that has been offline for a while (re)joins the network, it needs to be able to trust the information given to it by other nodes regarding which version of the blockchain represents the truth. In PoW, this can be done using the longest chain rule, since the most work went into creating that chain and it is thus considered the ‘true version’ of the ledger — under the assumption that the majority of the miners are honest. PoS protocols use alternative methods (e.g. local moving checkpoints or Byzantine Fault Tolerance), but these only work in a synchronous setting where nodes are always online, which is an assumption that is pretty much impossible to hold in a real-world setting. In the Ouroboros Genesis paper, the authors even conclude that none of the currently existing PoS systems can realize full ledger functionality in the same way that Bitcoin does in such a setting.

To solve the bootstrapping problem, a new chain selection rule called the ‘Plenitude Rule’ is proposed in Ouroboros Genesis. While the mathematical proofs that are described in the 64-page paper are difficult to grasp for non-cryptographers (although this video by Aggelos Kiayias, one of the authors, might help), the authors show that adversarial blockchains in Ouroboros exhibit a less dense block distribution after the point where they diverge from other versions of the chain. Simply put: the attacker’s chain will contain fewer blocks in the time period shortly after the divergence point, despite potentially containing more blocks altogether and being the longest chain.

Therefore, when multiple chains of similar length are available, the Plenitude Rule looks for the point at which the chains diverge and ‘went their own ways’ regarding their block distribution. It then divides the most recent past from the history of the chain into periods and determines for which version the block distribution after the divergence point is the most dense — which is the chain that will be selected. Due to this rule, nodes that are new to the network or have been offline for a while can (re)join and be guaranteed to download the correct version of the chain, as long as there are enough honest parties. This solves the bootstrapping problem and helps prevent long range attacks.

It should be noted that the Plenitude Rule will only work in a protocol like Ouroboros, where time is divided into slots, slot leaders for the whole epoch are elected in advance and nodes can verify that each block was created by the correct node. This combination of features makes it possible to guarantee that no one can counterfeit their way into creating a block during someone else’s slot. As a result, it is impossible for a single node to create a fake chain unless it has lots and lots of empty slots — and that chain automatically gets discarded due to the Plenitude Rule, as it is less dense.
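Here is an added example (not IOHK’s code) of the comparison the three paragraphs above describe: two chains that share a history and then diverge, one dense and honest, the other longer overall but sparse right after the fork because its producer only held some of the slots. The rule as coded here follows a simplified reading of the paper: if the fork is recent (the local chain has at most k blocks after it), fall back to the longest chain; otherwise prefer the chain with more blocks in the s slots right after the divergence point. The chains, the window s, the threshold k and the use of string ids in place of block hashes are all assumptions made for the example.

```python
"""Chain selection between a dense honest chain and a longer but sparser
adversarial fork, in the spirit of Ouroboros Genesis's Plenitude Rule.
Constructed example, not IOHK's code; the chains, the window s and the
'recent fork falls back to longest chain' threshold k are assumptions."""


def divergence_slot(a: list, b: list) -> int:
    """First slot after the last block the two chains share. Chains are lists
    of (slot, block_id) in slot order; block ids stand in for hashes."""
    last_common = -1
    for (sa, ida), (sb, idb) in zip(a, b):
        if (sa, ida) != (sb, idb):
            break
        last_common = sa
    return last_common + 1


def blocks_in_window(chain: list, start: int, s: int) -> int:
    """Number of blocks whose slot lies in [start, start + s)."""
    return sum(1 for slot, _ in chain if start <= slot < start + s)


def blocks_after(chain: list, start: int) -> int:
    return sum(1 for slot, _ in chain if slot >= start)


def longest_chain(local: list, candidate: list) -> list:
    return candidate if len(candidate) > len(local) else local


def plenitude_rule(local: list, candidate: list, s: int, k: int) -> list:
    """If the candidate forked within the last k blocks of the local chain,
    use the longest chain. Otherwise prefer the chain with more blocks in the
    s slots right after the divergence point (the denser one)."""
    fork = divergence_slot(local, candidate)
    if blocks_after(local, fork) <= k:
        return longest_chain(local, candidate)
    local_density = blocks_in_window(local, fork, s)
    cand_density = blocks_in_window(candidate, fork, s)
    return candidate if cand_density > local_density else local


# --- constructed chains ---------------------------------------------------
# Shared history: slots 0-99, with every tenth slot empty (leader offline).
SHARED = [(slot, f"g{slot}") for slot in range(100) if slot % 10 != 0]
# Honest continuation: same 90% density for slots 100-199 (180 blocks total).
HONEST = SHARED + [(slot, f"h{slot}") for slot in range(100, 200) if slot % 10 != 0]
# Attacker continuation: only every fourth slot (the slots it held), but it
# stretches much further, so the fork is longer overall (90 + 200 = 290 blocks).
ATTACKER = SHARED + [(slot, f"a{slot}") for slot in range(100, 900, 4)]

if __name__ == "__main__":
    fork = divergence_slot(HONEST, ATTACKER)
    print("fork at slot", fork)
    print("honest blocks in window  :", blocks_in_window(HONEST, fork, 50))
    print("attacker blocks in window:", blocks_in_window(ATTACKER, fork, 50))
    print("longest  ->", "attacker" if longest_chain(HONEST, ATTACKER) is ATTACKER else "honest")
    print("plenitude->", "attacker" if plenitude_rule(HONEST, ATTACKER, s=50, k=10) is ATTACKER else "honest")
```

With these inputs the longest chain rule hands the win to the attacker (290 blocks against 180), while the density comparison in the 50 slots after the fork (45 honest blocks against 13) keeps the honest chain, which is the behaviour a (re)joining node needs. The attacker cannot pad the sparse window, because each of the honest leaders’ slots would require that leader’s key.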

Since the ‘update’ of the protocol to the Genesis version, Ouroboros is the first PoS protocol that is mathematically proven to guarantee persistence and liveness in both a synchronous and a semi-synchronous setting — under the assumption that an honest majority is participating, just like Bitcoin. Hence, it is more secure than other PoS protocols that require at least 2/3 honest participants (e.g. Ethereum Casper, Algorand) and as secure as Bitcoin, but with a much lower energy expenditure and better performance.

While Cardano is similarly secure as Bitcoin in preventing 51% attacks, Bitcoin has an advantage over Cardano after a 51% attack is executed. In Bitcoin, the honest minority could just add extra hash power to regain control over the network by adding new miners to the network. In Cardano, once an attacker owns 51% of the staked or even of the circulating supply (the latter would also guarantee that the attacker has the majority of the staked supply), control over the network can only be regained if the attacker sells his coins or by forking the blockchain. However, is it likely that someone would be able to control that large a stake? Let’s have a look.

How was ADA originally distributed?

In a PoS protocol, staking coins is necessary to participate in the consensus mechanism. Since the existence of coins is required to execute the protocol, a certain initial coin distribution was required. At the time (2015), the concept of Initial Coin Offerings (ICOs) was becoming popular, but there were concerns that holding an ICO by minting virtual assets and selling them to the general public might fall under securities regulations. IOHK, Emurgo and the Cardano Foundation therefore chose to sell 25,927,070,538 ADA ‘vouchers’ in a private sale in Japan and a few other Asian countries that were redeemable for ADA after the main-net was launched in September 2017.

Bitcoin purists in particular, who believe only Bitcoin had a fair launch, tend to react adversely to the idea of a new form of money being created and sold. At Bitcoin’s launch, Satoshi Nakamoto first shared the code to run a Bitcoin node publicly, allowing anyone to participate in network consensus from the start. While Nakamoto clearly had an advantage since just a few people knew of Bitcoin’s existence, the fact that anyone could have participated and that it was far from a given that Bitcoin would be a success arguably made it fair. However, the recent launch of the Grin privacy coin illustrates that a similar ‘fair launch’ is perhaps no longer possible, as ~$100 million in venture capital money was rumored to be invested in mining Grin. In essence, the choice for Cardano’s private sale was a trade-off between geographical distribution and regulatory certainty, where the latter was chosen as a priority.

The other 5,185,414,108 ADA (20% of the amount of ADA sold during the voucher sale and 16.7% of ADA’s 31,112,484,646 ADA total supply) were distributed over IOHK, Emurgo and the Cardano Foundation. IOHK has publicly shared its ADA address and that one third of the 2,463,071,701 ADA they received (of which ~97.5% is still there) was available immediately, one third was made available on June 1st, 2018 and the final third becomes available on June 1st, 2019. While the Cardano Foundation and Emurgo haven’t publicly shared their ADA addresses, it is believed that Emurgo originally held 2,074,165,643 ADA in this address and the Cardano Foundation originally held 648,176,763 ADA in this address, as the sum of these amounts adds up exactly to the original total. Finally, the remaining 13,887,515,354 ADA of the 45 billion ADA that will ever exist (maximum supply) will be minted as block rewards.

What is the current ADA distribution like?

Since the voucher sale had a very limited geographical reach and in a PoS system stake equals power, distributing the coins over more people is very important for network decentralization and thus security.

The principle of how this is achieved is quite simple: coin holders need to sell their coins to people that don’t own any coins yet. In Cardano’s case, the voucher sale was held in the beginning of a bull market, between September 2015 and January 2017. When Cardano’s main-net was launched in September 2017 and the voucher sale participants received their ADA, the coins had already greatly appreciated in value. As a result, when the coins became tradeable on exchanges, voucher sale investors sold (some of) their coins.

The following graphic was derived from a webpage that was made by a Cardano Forum member called Markus (forum handle “Werkof”) and gives a visual representation of the coin distribution (technically, the UTxO distribution) over time. The colors represent categories of addresses holding a certain number of coins. The higher layers represent addresses holding large amounts of ADA. For instance: (i) purple = 10M-100M ADA, (ii) pink = 1M-10M ADA, (iii) dark brown = 100k-1M ADA, (iv) light brown = 10k-100k ADA, (v) darkest blue = 1k-10k ADA, (vi) second darkest blue = 100–1k ADA, (vii) second lightest blue = 10–100 ADA, (viii) lightest blue = 1–10 ADA, and the green categories represent ‘dust’: addresses with a balance that is lower than the fees needed to use them in a transaction.

Particularly in December 2017, as Bitcoin was soaring to a new all-time high and other cryptocurrencies became very popular, the graphic shows a large shift from the largest addresses to smaller addresses. Throughout the 2018 bear market, a small decrease in the top two layers can be observed, although the general trend can best be described as consolidating, since there are no significant (relevant) shifts in distribution visible. A tentative hypothesis can therefore be formed that repeated market cycles may further improve coin distribution, since bull cycles incentivize coin holders to sell (some of) their coins and new people may be attracted due to the hype cycle.

One important thing to realize when analyzing the coin (/UTxO) distribution based on addresses is that a wallet can manage multiple addresses, and a single person can manage multiple wallets. While this would suggest that the number of addresses overestimates the number of people owning coins, the fact that exchange addresses can also contain the coins of many people means that we really just don’t know. Although it doesn’t necessarily prove anything, analyzing how much ADA the top addresses are holding may be helpful to gain some insight into the coin distribution. AdaScan and Clio.1 are good resources for this, e.g. by using the ‘Rich List’.

On 21–1–2019, Binance is the largest ADA holder, despite only one of its addresses being listed here. The ADA addresses of IOHK and the Cardano Foundation are also labelled and visible in the top-5. Based on the number of transactions, it is likely the #4 and #7 listed addresses are also exchanges. On this day, these top-10 ADA holders hold 30% of Cardano’s current supply.

If we zoom out using the next two pie charts, we see that on 21–1–2019, the top 1.34% of all ADA addresses (although keep in mind that this total includes a large number of ‘dust’ addresses as well) hold 22,434,630,873 ADA, which is 72.1% of the current supply.

Drawing any conclusions about the likelihood of a 51% attack on Cardano happening based on these numbers is arbitrary at best. However, seeing the coin distribution and number of active addresses grow over time will be necessary to increase confidence in the assumption that enough people are using Cardano to make it unlikely that a single person or collaborating group will be able to control 51% of the stake. Let’s have a look at how acquiring 51% of the stake would work.

How would acquiring 51% of the stake work?

At the time of writing, staking is not possible yet on Cardano. It is therefore unknown how much of the current circulating supply of ADA will be staked once this is possible. However, if a single person or entity were to control 51% of the current circulating supply (25,927,070,538 ADA), controlling 51% of the stake is guaranteed. According to CoinMarketCap, one ADA is worth $0.042971 at the time of writing (21–1–2019), which means Cardano’s current market cap is $1,114,118,098. At current prices, an attacker would therefore need to own at least $557,059,050 worth of ADA to be sure a 51% attack can be executed on Cardano. Based on the all-time high price, this amount of ADA would even be worth $17+ billion.

While this already illustrates that the attacker would literally put a lot of money ‘at stake’ in attacking the network, acquiring it might be even more expensive since the resulting buy pressure would likely cause a large increase of ADA’s price. Besides the price itself, acquiring that much ADA will be difficult, as it requires the market to be highly liquid. Due to the limited options to currently buy ADA over the counter (OTC), having enough exchange volume would be important for the attacker in this scenario.

At the time of writing (21–1–2019), Cardano has a 24-hour trade volume of $16,367,168 in all markets combined based on CoinMarketCap. To be very conservative, let’s assume that this doesn’t include back-and-forth trading and represents the number of unique ADA being traded. Despite this being the most favorable situation possible for the attacker, acquiring 50% of all ADA via exchanges would still take over 34 days at similar volume, with unique coins being sold on the market every day and without anyone else buying.

However, if you zoom in, this turns out to be a huge underestimation. Based on CoinMarketCap, Binance’s ADA/USDT and ADA/BTC markets are the two most liquid ADA markets and are good for 35% of all ADA trading. However, at the time of writing, ‘just’ 16.12 million ADA are available in these two markets. Under the conservative assumption that this amount of unique ADA will be available every day, it would take over 1,608 days to market-buy 50% of the circulating supply. Moreover, market-buying all available ADA on a daily basis would make the price shoot through the roof, likely attracting new sellers (though perhaps also new buyers?). Either way, these (albeit over-simplistic) examples illustrate that acquiring a majority of the stake will be both time-consuming and expensive.

Since attackers aren’t ‘honest participants’ to begin with, acquiring a large part of the stake through phishing attacks, malware attacks and other forms of hacks seems to be another logical possibility. Furthermore, it is possible that the attacker doesn’t focus on acquiring the actual coins, but on hacking the nodes in the network or on running multiple stake pools himself (a Sybil attack). After all, if the attacker gains control over the nodes that own the stake rights to a lot of coins that were delegated to the pool, he can execute adversarial behavior without actually owning the coins. Besides coin distribution, having a large distributed network of nodes in which all these coins are staked is therefore also important for network security.

How is stake pool distribution incentivized in Cardano?

Just like in the development of Ouroboros, a lot of academic research in the field of game theory went into creating an incentive structure that incentivizes stake pools not to grow too large. In IOHK’s July 2018 publication on the topic, the researchers give a mathematical proof that as a result of their incentive structure, the desired number of stake pools is a Nash equilibrium (a game theoretic concept that was named after Nobel prize winner John Nash, a name some people might also recall from the hit movie “A Beautiful Mind” about his life, which won 4 Oscars). As a result, the financial interest of the people participating in the system and ‘doing what is right’ for the system are aligned. This means that as long as the participants make decisions that are best for them financially, they are automatically also ‘doing what is right’ for the protocol. So how does this optimize stake pool distribution?

As mentioned earlier, the chances of winning slot leader elections are proportional to the amount of stake. This means that a stake pool that holds a lot of ADA is more likely to win slot leader elections, essentially giving it more power. The protocol should therefore incentivize distributing the stake over as many stake pools as possible. The incentive structure is based on a formula under which the maximum proportion of the total rewards pool that a single stake pool can receive is limited to 1/k, where k is the desired number of stake pools. To get a grasp of what could be a realistic expectation regarding k: in May 2018, IOHK asked people that were interested in running a stake pool on the test-net to register. They initially expected that ~100 stake pools would join, but they received well over a thousand applications. While no formal announcements have been made on this, it has been rumored that 1,000 will be used as parameter k.

Let’s look at an example. Two stake pools, A and B, respectively control 0.03% and 0.12% of the total network stake. Stake pool A will receive 0.03% of the rewards pool, but B will receive 0.10%, since the maximum reward it can receive is 1/1,000 = 0.10%. Since the stake pool rewards are also distributed proportional to their participants’ stake in that pool, the participants in stake pool B receive relatively less stake rewards than they would have had they delegated their stake to stake pool A, creating a financial incentive for them to do so and create a more optimal stake pool distribution as a result. To help Cardano stakeholders determine which pool would give the most favorable results, a pool-sorting mechanism that will provide visual representation of the best choices available will be built into Cardano’s wallets.

However, we’re not done yet. How do we prevent an attacker from creating hundreds of small stake pools (a Sybil attack), enticing stakeholders to delegate to these pools using very favorable conditions and thereby gaining control over the majority of the stake?
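To make the pool A / pool B example and the Sybil question above concrete, here is a small Python model of the 1/k reward cap. This is an added illustration, not code from the article or from IOHK: it assumes that rewards are shared among pools in proportion to their stake, capped at 1/k of the reward pool, and then passed on to delegators pro rata. Pool fees and the pledge mechanism from IOHK’s October 2018 paper are deliberately left out, which is exactly why the second function shows that the cap alone does not penalize an operator who splits one large stake into many small pools.

```python
"""Model of Cardano's 1/k stake-pool reward cap (added example, not IOHK code).

Assumed model (simplification, not the full reward formula):
  - a pool controlling a fraction sigma of total stake earns
    min(sigma, 1/k) of the reward pool,
  - the pool's reward is split among its delegators pro rata,
  - no pool fees and no pledge bonus.
"""

from fractions import Fraction


def pool_reward_share(stake_share: Fraction, k: int) -> Fraction:
    """Fraction of the total reward pool a pool receives: min(sigma, 1/k)."""
    if stake_share < 0:
        raise ValueError("stake share cannot be negative")
    return min(stake_share, Fraction(1, k))


def delegator_yield(stake_share: Fraction, k: int) -> Fraction:
    """Reward per unit of delegated stake, relative to an uncapped pool.

    A pool at or below the cap yields exactly 1; a pool above the cap
    yields less because a capped reward is spread over more stake.
    """
    if stake_share == 0:
        return Fraction(0)
    return pool_reward_share(stake_share, k) / stake_share


def total_reward_if_split(total_stake: Fraction, k: int, n_pools: int) -> Fraction:
    """Total reward an operator collects by spreading the same stake evenly
    across n_pools pools. Once each pool is under the cap the operator gets
    the full proportional reward again, so the cap by itself is no Sybil
    deterrent; the article's pledge mechanism is what addresses that.
    """
    per_pool = total_stake / n_pools
    return n_pools * pool_reward_share(per_pool, k)


def main() -> None:
    k = 1000  # rumored value from the article; an assumption here
    pool_a = Fraction(3, 10000)   # 0.03% of total stake
    pool_b = Fraction(12, 10000)  # 0.12% of total stake

    for name, sigma in (("A", pool_a), ("B", pool_b)):
        reward = pool_reward_share(sigma, k)
        print(f"pool {name}: stake {float(sigma):.4%} -> reward share "
              f"{float(reward):.4%}, yield {float(delegator_yield(sigma, k)):.3f}")

    for n in (1, 2, 4):
        total = total_reward_if_split(pool_b, k, n)
        print(f"pool B stake split over {n} pool(s): total reward {float(total):.4%}")


if __name__ == "__main__":
    main()
```

Pool B’s delegators earn only 5/6 of what they would earn per ADA in pool A, which is the financial nudge towards smaller pools; splitting pool B’s stake over two pools restores the full 0.12%, which is the reason a pledge-based deterrent is needed on top of the cap.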

While an obvious solution would be to make stake pool registration very expensive, this would prevent honest people from creating stake pools, which would actually be bad for decentralization. In IOHK’s October 2018 article on the topic, the authors introduce a solution where stake pool creators can increase the potential rewards of their pool by ‘pledging’ some of their personal stake to it. As a result, it is financially more attractive for stakeholders to delegate their stake to pools whose operators have pledged a lot of their own stake. This means that in order to execute a Sybil attack, the attacker still needs a lot of ADA to create enough pools that are profitable enough to compete with honest stake pools in enticing other stakeholders to join them.

As a final note, IOHK’s researchers are also considering replacing the dependency of rewards on the pool leader’s stake with a reputation system in future versions of Cardano. Such a system would allow people with little stake to make their pools more attractive by running them reliably and efficiently over a long period of time, but it needs to be studied further.

How can the chances of a 51% attack on Cardano be limited?

As just discussed, a higher ADA price will result in higher costs to collect 51% of the stake. ADA price appreciation will also create an incentive for large ADA holders to sell (some of) their stake and likely attract new people to the network, potentially allowing for an improved coin distribution. If ADA were to follow a similar path as Bitcoin and go through multiple market cycles over the next few years, coin distribution may improve.

In Cardano, exchanges will get special enterprise exchange addresses that cannot participate in network consensus and governance. Although there is no technical way to force exchanges to use these, social pressure by the exchanges’ customers could push them to do so. Regardless of whether you believe exchanges might actually participate in a 51% attack, it is important not to store your ADA on an exchange unless you’re actively trading. Of course, owning your own private keys is very important by itself (“not your keys — not your coins!”), but by participating in network consensus and governance yourself, you also increase the chance that an honest majority is participating. This is especially true if you own a lot of ADA, as this means you are in a good position to run a profitable stake pool yourself. You can do so by running your own node or, if not, by delegating your stake to a stake pool that you know you can trust.

Conclusions

Cardano’s consensus mechanism has been mathematically proven to be secure under the assumption that the majority (>50%) of its participants are honest. The fact that it relies on this assumption means that it’s not resistant against 51% attacks by definition. This may sound threatening but is in fact no different than any other cryptocurrency on the market, as emphasized by Litecoin founder Charlie Lee after the 51% attack on Ethereum Classic.

“By definition, a decentralized cryptocurrency must be susceptible to 51% attacks whether by hashrate, stake, and/or other permissionlessly-acquirable resources. If a crypto can’t be 51% attacked, it is permissioned and centralized.” — Charlie Lee

A successful 51% attack on Cardano would have major implications for the system. Unlike in Proof-of-Work currencies, where the control over the network can be regained by adding more hash power to the network, the attackers’ majority stake position cannot be taken away from him/her unless the attacker sells his/her coins or the blockchain is forked.

On the other hand, since a successful 51% attack on Cardano would require the attacker to hold a majority (>50%) of all staked coins (which would be guaranteed if >50% of the circulating supply is held; ~13 billion ADA), such an attack would require the attacker to literally put an enormous amount of money ‘at stake’. Malicious behavior would potentially depreciate the value of the coins that the attacker is using as stake. At current prices, would anyone invest hundreds of millions of dollars in a cryptocurrency to then attack the system, potentially crashing the value of the investment itself?

While this is a non-zero chance, it appears to be unlikely that the relatively straightforward type of 51% attack that we’ve described earlier will happen in Cardano. If a single entity were to go through all the trouble of acquiring 51% of the staked or even circulating supply, using the acquired power to influence decision-making through the planned on-chain governance is arguably more likely, for instance by forcing the acceptance of self-submitted funding proposals in the planned treasury model or by forcing decisions that are in the best interest of the entity controlling the stake. Therefore, distributing ADA’s supply over many individuals through free market dynamics is very important, regardless of how the risk of a 51% attack is assessed.

Ultimately, it is up to the market to decide how the pros and cons of Cardano’s characteristics weigh against those of other cryptocurrencies like Bitcoin, and to what degree multiple systems will share the capitalization of the total cryptocurrency market. In essence, it’s not the technology itself that determines the product’s value, but the social phenomena that surround it. For instance, it is possible that the market values the fact that in Bitcoin, the honest majority’s hash power dominance can always be ‘re-captured’ after a successful 51% attack as a very important aspect. In this scenario, it could mean that the market considers Bitcoin to be a superior store of value, giving its native asset (BTC) a higher price than Cardano’s native asset (ADA).

Nonetheless, it could still mean that Cardano will be utilized as a more efficient and cheaper way to interact between systems and to use smart contracts securely. In this intentionally high-contrast scenario, Cardano would basically function as a side-chain to Bitcoin. However, the more intensively Cardano’s system is used, the more fees will be available as stake rewards. This incentivizes staking and lowers sell pressure. If the demand for coins stays consistent (owning ADA is necessary to pay for fees), the coin price increases, making a 51% attack more expensive and thus less likely. This improves the system’s security, making it a better Store of Value and thus more competitive as a currency, creating a positive feedback loop.

Those that are familiar with the Lindy effect, which is often linked to Bitcoin’s monetary evolution, will recognize this process. The Lindy effect states that a technology’s remaining life expectancy is proportional to its current age, meaning that the longer it exists, the more it’s trusted to continue to exist. This means it’ll take time for Cardano’s young system to be trusted — particularly in comparison to Bitcoin, which has already operated resiliently for over 10 years with 99.98% up-time and zero known immutability breaches. The rigorous academic basis of Cardano is arguably the best possible foundation to build on, but it still needs to prove it is resilient against attacks ‘in the wild’ and thus undergo the test of time to earn the trust of investors. To justify the increasing ADA price that is important to Cardano’s security proposition, it is essential that the system will actually be used. It is therefore no coincidence that this is exactly what IOHK, Emurgo and the Cardano Foundation are focusing on, as illustrated by a recent tweet by IOHK CEO Charles Hoskinson: